No root for you, or how to stop worrying and love AWS China

Making resilient CICD pipelines requires careful planning

Got Tips? 9 Reg comments
Nikki Bailey, Illumina

If you open an AWS account in China, you don't get a root account; instead, one of Amazon's Chinese operating partners, Sinnet or NWCD, has root access and creates an IAM admin user for you.

Nikki Bailey, senior devops engineer at Illumina, a company that builds gear to sequence genetic data, explained as much at the DevOps-focused Continuous Lifecycle London on Thursday.

She did so to illustrate the challenge of making a CICD pipeline work across the cloud environment.

Unusual cloud over the ocean. photo by shutterstock

Multi-cloud Cloudian controllers now run in AWS, Azure and Google


IT people like to talk about "the cloud" as if it were a singular thing. But companies running applications in the cloud still have to deal with political boundaries – thanks GDPR – and technical ones too. The cloud turns out to be a rather fragmented place.

Bailey said AWS China demands different design patterns for software pipelines. That of course assumes the marketing need to operate in China outweighs concerns from the information security group about ceding root access to a third-party.

There's no account sharing between China and the rest of AWS, she explained. Beyond the lack of root access, other security features are missing: There's no Key Management Service (KMS) and no CloudRail log file validation.

Neither is there any managed DNS service – no Route53, sorry about that.

Oh, and you need to apply for a permit to serve traffic on port 80 or 443. Then there are potential issues arising from the so-called Great Firewall.

Differences of this sort tend to be unanticipated in configuration scripts.

"Our process for deploying was extremely context dependent and environmentally specific," explained Bailey.

Inconsistencies between environments tend to add complexity to deployment tooling, she said, and complexity makes automation difficult to maintain, which in turn means time lost to debugging.

To overcome these challenges, Bailey stressed the need for strong DevOps practices to ensure that automation doesn't break down in different environments. This involves having teams work cross-functionally, making apps easy to validate and debug, automated undifferentiated work with CICD jobs as much as possible, and minimizing divergence between environments.

"If you're working in a cloud environment, your infrastructure is part of your code base to some extent," she said.

For China, Illumina went a step further. The company decided to segregate AWS China from its corporate network. Adjustments had to be made to its Jenkins pipelines to account for the slow transit through firewalled networks. And the biz ended up shipping pre-built machine images to AWS China rather than source code, even through transmitting the multi-gigabyte files could take up to 20 hours.

In short, to get to the point of set-and-forget code deployment, there's more to think about than you thought. ®

Sponsored: Webcast: Simplify data protection on AWS


Biting the hand that feeds IT © 1998–2020